I'd argue that domain registrars, CAs, and hosting services _should_
have an obligation to deny services to obvious phishing domains. [1]
(This is independent of what (if any) obligations they might currently
have.) Phishing continues to be epidemic. It is not enough that some
user agents attempt to prevent users from following suspected phishing
links.
How this obligation should be implemented is an involved question that
I'm not prepared to address. The first step, though, is establishing the
principle that registrars, CAs, and hosting services are not mere pipe
utilities with no obligations to prevent obvious malefactors from
injecting sewage into them.
-R
[1] No, electric utilities, etc., should not also be obligated to deny
them electricity, etc. This would require an impractical (and
privacy-invading) level of investigation. An electric-utility customer
does not submit a list of domain(s) to the electric utility to obtain
service. A phisher _does_ submit such a list to its registrar, CA, and host.
On 8/13/2020 11:59 AM, Paul Walsh via dev-security-policy wrote:
On Aug 13, 2020, at 11:04 AM, Tobias S. Josefowitz via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:
On Thu, Aug 13, 2020 at 7:20 PM Paul Walsh via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:
"Every domain should be allowed to have a certificate ***regardless of
intent***.”
They are the most outrageously irresponsible words that I’ve heard in my career
on the web since 1996 when I was at AOL, and sadly, I’ve heard them more than
once. I just can’t get my head around it. To me, those words are akin to
someone saying that masks, Bill Gates, 5G and vaccinations are all dangerous -
totally stupid and not in the best interest of society.
So in your opinion, what is wrong with every domain being allowed to
have a certificate? What are your opinions on every domain being
allowed TCP connections, IP addresses, its domain itself, and
electricity? Is the certificate somehow standing out in your opinion?
Why should it? If it was so easy for CAs to detect problematic
domains, why isn't it for the domain registries/registrars? Why isn't
the domain itself the problem but somehow the certificate is?
[PW] Good questions. Perhaps you could answer mine first? That is, why would a
company not want to reduce the risk of their service being abused? Asking me to
explain why they should, seems counterproductive. It’s like asking me why I
should stop a man from kicking a child in the head. Answer = it’s the right
thing to do, even if I don’t have to.
“Why isn’t it for the domain registries/registrars”. They should all try to
reduce the risk of malicious domains being registered, and/or react when
someone complains about abuse.
When a domain is proven to be used for malicious activity it’s generally taken
down - at least by companies that play fair. Some types of TLDs are even
regulated to the point where you can’t buy a domain unless you have your
identity verified.
By deflecting the conversation to other stakeholders you’re participating in
“whataboutisim”. Let’s stick to why any company should not try to reduce the
risk of abuse.
- Paul
Tobi
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy